Plug-in module lies about news at coffee shops. Real or Fake?

[Mike] sent in a tip about Newstweek, and we’re turning to our readers to tell us if this is real or if we’re being trolled. The link he sent us points to a well-written news-ish article about a device that plugs into the wall near an open WiFi hotspot and performs something of a man-in-the-middle attack on devices connected to the access point. The article describes the device above as it observes, then spoofs the ARP table of the wireless network in order to inject fake news stories into pages you are reading. Apparently once it boots, the small box phones home for commands from its maker over a Tor connection.

The box reminds us of the Sheevaplug so it’s not the hardware that makes us question the possibility of the device. But look at the Linux terminal screen readout. It shows a prompt with the word ‘newstweek’ in it. That’s the address of the site the article is hosted on, giving us a strong sense of being trolled.

What do you think, real or fake? Let us know (and why you think that) in the comments.

Off topic, but making an automated WiFi sniffer to leave at coffee shops and the like to sniff out “useful” info could be both an issue and pretty effective. Not sure how many people use credit card details or PayPal while on random WiFi, but more than enough people check their emails and throw in personal info.

Looks legit to me – judging from the link egasimus already posted and another one ( http://www.imperica.com/features/newstweek ) it seems like it’s an art project – and a pretty complex and well-executed one, too.

Seems plausible. I did something similar to a workmate who always checked the stock market instead of working. I whipped up a program to perform an ARP man-in-the-middle and DNS spoofing, and started modifying his stock ticker info :) The numbers were wildly incorrect so he was not going to act on them.

The article is an artistic fabrication for sure, but the device itself is probably real.

The article has way too much technical information to be a real news article. The ‘security expert’ mentioned in the article, Zdzislaw Kotla, is actually a Polish Olympic sailor. The links on the top banner are all useless. The pictures at the end of the article link to the authors’ homepages. The last line is pretty funny: “Note the black hat worn by what may be a colleague in the first photograph.”

Focusing on the site itself:
1. None of their “most popular” stories show any hits in a Google search (actually, none of their stories have).
2. I cannot find any other stories on the site as the headlines are not links (neither are the “Subscribe”, Facebook or Twitter links).
3. The images in the article are stock photos (despite one being captioned to imply the woman in the picture is the woman in the story).
4. I haven’t seen this story on any other sites.
5. There is a link at the bottom of the page to JulianOlivier.com (in the copyright list, labeled “Oliver”). A few coincidences arise on there.

Based solely on the site reporting it, I call troll.

I can’t comment on the technical aspect of the device as I don’t know enough about this sort of thing.

On watching the video:
1. The “device” is referred to as the “Newstweek device”.
2. The presenter uses an N900 phone for the demonstration. The same model was reported as handed in to a police station in the article.

The beauty of the internet is that every position is absolutely equal to the next. Every hop retransmits data. This retransmission has the potential ability to modify the data it receives. Because of this, the “backbone” creates a hierarchy.

If you’d like to recreate an ARP redirection, download a program on your Android phone called “Shark for Root”. It performs ARP spoofing where every time someone asks “who is the router”, your phone says “I’m the router”. All data goes through your phone and is logged. The data is then retransmitted to the router and no one is the wiser.

Now, this is a simple spoof. It is used for diagnostic purposes. When you want to find out about problems on networks, you use a protocol analyzer with ARP spoofing capabilities. It allows you to look at the packets being sent and see what’s causing the problems you are experiencing.

If you take this diagnostic process one step further: as data is received, it can be modified before it is sent out. This is a man-in-the-middle attack. It is not a high-tech or hard-to-recreate process. It’s a matter of working with data at a low level of the OSI model.

If you’d like to make your own man-in-the-middle, get a small ARM computer, like an Android phone, get Linux up and running, then find a way to compile Ettercap for it. All data received by Ettercap can be changed and modified. Also, look up dnsspoof, webmitm, fragrouter and ssldump.

If you want to go a bit bigger, you can install BackTrack onto a small i386 nettop computer and it has all the tools you need. Set up the BackTrack computer as a firewall on your network and let it rock’n’roll.
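As an added defender-side example (not code from the post or from any commenter), the “I’m the router” ARP pattern described above can be spotted passively: watch ARP replies and alert when an IP that was already bound to one MAC, especially the gateway, suddenly answers from a different MAC. The frames below are constructed inline for the demo, not a real capture.

```python
import struct

ARP_ETHERTYPE = 0x0806

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet frame carrying an ARP reply (opcode 2); used to build sample traffic."""
    eth = target_mac + sender_mac + struct.pack("!H", ARP_ETHERTYPE)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)  # Ethernet, IPv4, hlen 6, plen 4, reply
    return eth + arp + sender_mac + sender_ip + target_mac + target_ip

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ARP_ETHERTYPE:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None  # only Ethernet/IPv4 ARP is handled here
    sender_mac = frame[22:28].hex(":")
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return op, sender_mac, sender_ip

def detect_arp_spoof(frames, gateway_ip):
    """Alert when an IP already bound to one MAC is claimed by a different MAC.
    A change for the gateway IP is exactly the 'I'm the router' pattern."""
    first_seen = {}  # ip -> first MAC that claimed it
    alerts = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue  # not ARP, or not an Ethernet/IPv4 ARP frame
        _, mac, ip = parsed
        known = first_seen.setdefault(ip, mac)
        if known != mac:
            severity = "HIGH" if ip == gateway_ip else "MEDIUM"
            alerts.append((severity, ip, known, mac))
    return alerts

# Constructed sample traffic (hypothetical addresses): gateway, victim, attacker.
GW_MAC, GW_IP = bytes.fromhex("aabbcc000001"), bytes([192, 168, 1, 1])
VICTIM_MAC, VICTIM_IP = bytes.fromhex("001122334455"), bytes([192, 168, 1, 50])
ATTACKER_MAC = bytes.fromhex("deadbeef0001")
SAMPLE_FRAMES = [
    build_arp_reply(GW_MAC, GW_IP, VICTIM_MAC, VICTIM_IP),        # genuine router reply
    build_arp_reply(VICTIM_MAC, VICTIM_IP, GW_MAC, GW_IP),        # benign host reply
    VICTIM_MAC + GW_MAC + b"\x08\x00" + b"\x00" * 28,             # non-ARP frame, skipped
    build_arp_reply(ATTACKER_MAC, GW_IP, VICTIM_MAC, VICTIM_IP),  # spoofed "I'm the router"
]

if __name__ == "__main__":
    for alert in detect_arp_spoof(SAMPLE_FRAMES, "192.168.1.1"):
        print("ARP spoof suspected: %s %s was %s, now %s" % alert)
```

On a real network the frames would come from a raw socket or pcap in monitor mode; a single alert can also be a legitimate router replacement, so the MAC change is a signal to investigate rather than proof on its own.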

Reminds me of that guy who had an open wireless network where he installed a transparent web proxy that would replace all (or some) images on any web page with images from some cat website, and then got complaints from people who said he hacked their computer. Hilarious! Can’t find the URL right now, though.

So, this incarnation of this gadget is “art,” but it has real implications. This has been going on as long as there’ve been hot spots.

The potential for monitoring of those in the cafe (or wherever) is a big deal, but the reverse risk (of a remote attacker being able to appear to be anywhere) is a big deal too. Now you can’t trust the logs of what you saw. For all you know I was halfway across the world when I published that tweet or Facebook message from the cafe across the street.

Whether or not this device is legit, it *is* possible to pull off. To pull it off, not only would you need the website to not be using SSL, but you’d need an HTTP server running, plus a way to re-format incoming pages on-the-fly. Regardless, with something like a Sheevaplug, I could see it being possible.

It has an Atheros chipset, and so would be compatible with Karma and Jasager (http://www.digininja.org/jasager/) as was demonstrated on Hak5, as Chris Muncy correctly mentioned, and so there is a great possibility it is real!

This seems to me more like an art project or “proof of concept” to remind people not to believe everything that they may read on the internet, by showing how easy it is to manipulate information. My guess: the device is real, the story behind it is not.

OK, so if I read the page right, it injects or changes news? As far as making changes to a page, what good is this even if it were true? A random person looks at a random news page and sees something not real. If he forwards it to a friend, the friend is going to see the real story (unless the link changes also), and most people will look at multiple sources of news for the “full story”, thus any misinformation would stand out. This being the case it is a lot of work for iffy results.
On the other hand, if it were placed there by someone (CIA, KGB, police, others) to funnel targeted information to a targeted person who was known to come often to an establishment (we are creatures of habit), then it might be useful and true.
As for a Wi-Fi snoop, all bets are off. I am sure if it is real it does just that alone.

Look into Ettercap filters. This should be possible on any Linux device with a WiFi card. The card wouldn’t even need to support injection. It would even work over SSL, but the targets would get invalid certificate warnings that they would most likely ignore anyway. As far as modern routers having ARP table checksums like xorpunk mentioned, you’d be surprised how many modern routers this works on. A lot of new routers may have this feature, but I haven’t come across one yet.

Is it possible to do this? Sure, but to work wirelessly most setups would need two wireless cards: one to listen and the other to broadcast the fake data. When I tried 802.11 hackery, most wireless chips would not allow you to send packets while they were in monitor mode listening to other devices that were not connected. On an unencrypted network, one wireless port listens for a request for a news site, the device crafts a packet to mimic what the AP should respond with, and broadcasts that packet over the second wireless port. Since this device doesn’t have the latency of a remote server, it gets to respond before the actual news.com server can, and the real reply looks like an echo.

But that website, with all its stock photos, looks pretty fishy to me.

Obviously a fake. If you check around the newstweek website, everything is fake except this article; if you follow the links and check out the names you’ll discover that there are two artists behind this site.

Device is clearly real, so trivial to build it’s not even funny. Website is a parody; if that’s not obvious upon reading it then the reader is a sucker. It’s another proof of concept that is getting good press because they have good PR instincts.

@NatureTM: have you seen most browsers’ invalid cert pages? It’s like it’s warning you about the imminent end of the world.
SSLstrip would be much cleaner; they would simply get an HTTP version of the site.

So the point is to inject fake news stories into real news feeds. The fake news is, presumably, retrieved from the newstweek website. Yet some figure the project is fake because the news from the newstweek site is fake?

If it is real then it probably only works on feeds from one site (Newsweek) or at least a limited number. Programming a device and doing individual injections for a variety of sites would be a great pain in the ass. The device probably isn’t specifically made for doing such things, but rather remote network injection. The author probably just wanted an interesting hook for their story, and probably only did this once as a proof of concept, or worse, a joke.

It looks to be a real device. Probably a Sheevaplug that has been repackaged with BusyBox Linux, then using ARP spoofing like many of the hotels do. They can create their own news stories. Don’t know if this is a proof-of-concept device but it has all the makings of a real item.

The antenna exhibits poor engineering. I question whether it would even present an acceptable SWR to the transceiver. To perform within typical expectations it would need to be attached to a metal chassis, plate, or at least some counterpoise. If it works then range is less than expected.

@IceBrain
Yeah, I’ve seen those. They are pretty intimidating these days. Good point about SSLstrip. The thing is, when a person wants to, say, check their bank balance over some https site, they see the warning and probably have a little freak out, unplug their router, restart their computer, etc. When none of this stuff works, they usually just say, “f*** it, what could be the harm?” Then they accept the invalid cert, the site loads normally, and they forget about it. A lot of people seem to care about security until it becomes a hassle. They disable their AV because it nags them to update. They disable UAC in Windows because it makes them click a button one or two extra times. You can warn people all you want, but if they get a little annoyed, you can usually expect them to do something stupid.